CVE-2024-51996

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-51996
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51996.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-51996
Aliases
Downstream
Published
2024-11-13T16:18:49Z
Modified
2025-10-22T18:45:33.460121Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Symphony has an Authentication Bypass via RememberMe
Details

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

Database specific 
{
    "cwe_ids": [
        "CWE-287",
        "CWE-289"
    ]
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
bc3abacc8bed6ca1e6924bed48580b85eccf4e82
Fixed
d869cc180cf38d3848feff1dcf38fefaecfd8177
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
67778bf0d384584bc59bb618a91ef6b08e9153c6
Fixed
cfb00ec539f6a3b5a9fb43c8cba67a21725e8937
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
ed57652df42aef294f411ef53dcfa5d6b7da2f90
Fixed
fa8dfde81afc7854283eb4c0261213dc098d4930

Affected versions

v4.*

v4.4.25
v4.4.26
v4.4.27
v4.4.28
v4.4.29
v4.4.30
v4.4.31
v4.4.32
v4.4.33
v4.4.34
v4.4.35
v4.4.36
v4.4.37
v4.4.38
v4.4.39
v4.4.40
v4.4.41
v4.4.42
v4.4.43
v4.4.44
v4.4.45
v4.4.46
v4.4.47
v4.4.48
v4.4.49
v4.4.50
v4.4.51

v5.*

v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.3.0
v5.3.1
v5.3.10
v5.3.11
v5.3.12
v5.3.13
v5.3.14
v5.3.15
v5.3.16
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9
v5.4.0
v5.4.0-BETA1
v5.4.0-BETA2
v5.4.0-BETA3
v5.4.0-RC1
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.14
v5.4.15
v5.4.16
v5.4.17
v5.4.18
v5.4.19
v5.4.2
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.24
v5.4.25
v5.4.26
v5.4.27
v5.4.28
v5.4.29
v5.4.3
v5.4.30
v5.4.31
v5.4.32
v5.4.33
v5.4.34
v5.4.35
v5.4.36
v5.4.37
v5.4.38
v5.4.39
v5.4.4
v5.4.40
v5.4.41
v5.4.42
v5.4.43
v5.4.44
v5.4.45
v5.4.46
v5.4.5
v5.4.6
v5.4.7
v5.4.8
v5.4.9

v6.*

v6.0.0
v6.0.0-BETA1
v6.0.0-BETA2
v6.0.0-BETA3
v6.0.0-RC1
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.19
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.0
v6.1.0-BETA1
v6.1.0-BETA2
v6.1.0-RC1
v6.1.1
v6.1.10
v6.1.11
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2.0
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.2.0-RC1
v6.2.0-RC2
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3.0
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.1
v6.3.10
v6.3.11
v6.3.12
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.4.0
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9

v7.*

v7.0.0
v7.0.0-BETA1
v7.0.0-BETA2
v7.0.0-BETA3
v7.0.0-RC1
v7.0.0-RC2
v7.0.1
v7.0.10
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.0-BETA1
v7.1.0-RC1
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7